Ramnode Client Area Security Advisory

Aaron Member
edited November 2012 in General

Just got this in my inbox... Good response and reaction by Ramnode.

Hello,

This message is to all RamNode clients. At some point within the past week, an unknown entity exploited a vulnerability in our billing system. The only damage they seem to have done was to tamper with one of our unused payment gateway modules. No billing information has been compromised.

As a result of this event, we have increased our security measures as well as hired a professional security auditor to identify and eliminate all potential threats. As an extra precaution, we will be working with the auditor to securely reinstall our billing system over the next 24 hours. You might not be able to connect to our website at certain points during this time period.

In order to ensure the security of your account, you should change any passwords which you have received from us through email if you are still using them. Client Area passwords created after July 12 are secure and uncompromised from this event. However, those who signed up on or before July 12 and those who have used the Reset Password link in the Client Area should change their Client Area passwords if they still match the ones we emailed to you. Any SolusVM and/or OpenVZ root passwords should be changed if they match the ones we emailed to you upon ordering. Please note that SolusVM itself was not compromised as part of this event.

We will be available to answer questions regarding this matter through our ticket system, although our responses might be delayed for the next 24 hours. If you need unrelated emergency support and our tickets are unavailable, please email me directly. As always, we greatly appreciate your business and continued support of RamNode as we seek to provide the best VPS hosting on the Internet.

Regards,

Nick A

Comments

  • KuJoe Member, Host Rep

    I'm interested to know the exploit and how it was detected.

  • Most likely the boleto module:
    http://forum.whmcs.com/showthread.php?60646-WHMCS-Security-Alert

    @Aaron said: payment gateway modules

  • Yeah, the Boleto WHMCS patch was sent out months ago and everyone was notified... they didn't need to hire a security auditor to read emails.

  • If you're unable to reach support, I'm available through LET on my breaks :)!

  • Does that mean that the system has been compromised BEFORE 12th of July and it took them until NOW to find out? That would not be exactly a good response or reaction. Or, at least, a late one.

  • @Amitz

    I was thinking the same thing... Wasn't sure if it was some type of error.

  • Spirit Member
    edited November 2012

    @Amitz said: Does that mean that the system has been compromised BEFORE 12th of July and it took them until NOW to find out?

    I think that this means that after this date they didn't send out welcome mails with a visible password anymore, but that's just my guess.

    Email Address: ...mail.com

    Password: *********
    To login, visit https://clientarea....

  • kbeezie Member
    edited November 2012

    Wasn't the "boleto" module at fault the last time there was an exploit? From day one I've had all plugins/addons removed that I was not actively using or updating.

    Unless, of course, it's not a new exploit, and it's the old one from over a month ago that was affected and RamNode didn't get the memo to fix/remove it.

    i.e.: http://blog.whmcs.com/?t=60646

  • @Amitz

    Like @spirit said, we started "mixing" up the e-mails so that the password was not supplied by the e-mail anymore. However, ones before this unfortunately contained the password and, unless it was changed, risk being compromised.

    Don't worry, we've taken every step to look at what damage has been done and what measures we can do to avoid it in the future.

  • kbeezie Member
    edited November 2012

    Usually, as I do regular backups of the WHMCS database, I tend to just use the system's pruning capability to remove all sent emails older than a certain day; this kills off the risk for passwords that were sent out with reset emails or other stuff in plain text. Of course, I noticed when WHMCS was hacked, they didn't prune a damn thing... lest we learn from their mistakes... (I think it was revealed at one point in time when they were exploited that they themselves didn't bother to clean up their own install of the exploit).
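The two practical points raised in this thread, Spirit's observation that stored welcome mails carried the password in clear and kbeezie's habit of pruning the stored copies, come together in the triage below. This is an added example, not RamNode's or WHMCS's code: it assumes the billing system keeps a copy of every email it sends (WHMCS does, in its database) and models that store as a list of dicts. The field names, the regex for the template wording, the sample messages, dates and user ids are all constructed for the example. Scanning the content rather than trusting a template-change date is the point: it yields the exact list of accounts whose credentials must be rotated, and it confirms that nothing exploitable remains after pruning.

```python
"""Find stored emails that carry plaintext credentials, and prune old copies.

Added example, not RamNode's or WHMCS's code. It assumes the billing system
keeps a copy of every email it sends (WHMCS stores sent mail in its database)
and models that store as a list of dicts. Field names, messages, dates and
user ids below are constructed for the example.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta

# Lines such as "Password: hunter2" in a welcome or reset email. The label
# list is an assumption about the template wording; adjust it to the real
# templates in use.
CREDENTIAL_RE = re.compile(
    r"^[ \t]*(?P<label>Password|Root Password|SolusVM Password)[ \t]*:[ \t]*"
    r"(?P<value>\S+)[ \t]*$",
    re.IGNORECASE | re.MULTILINE,
)
MASK_CHARS = set("*xX#")   # a value made only of these is a masked placeholder

# Constructed sample of the stored-mail table (not real customer data).
SAMPLE_EMAILS = [
    {"id": 1, "userid": 101, "date": "2012-06-20 10:00:00",
     "subject": "Client Area Welcome",
     "message": "Email Address: alice@example.com\nPassword: hunter2\n"
                "To login, visit https://clientarea.example.com"},
    {"id": 2, "userid": 102, "date": "2012-07-01 08:30:00",
     "subject": "New VPS Information",
     "message": "Root Password: r00t-pw!\nMain IP: 203.0.113.5"},
    {"id": 3, "userid": 103, "date": "2012-07-20 12:00:00",
     "subject": "Client Area Welcome",
     "message": "Email Address: carol@example.com\nPassword: *********\n"
                "To login, visit https://clientarea.example.com"},
    {"id": 4, "userid": 101, "date": "2012-10-20 09:00:00",
     "subject": "Invoice Reminder",
     "message": "Your invoice is due in 7 days."},
    {"id": 5, "userid": 104, "date": "2012-07-12 23:59:00",
     "subject": "Password Reset",
     "message": "Your new password is below.\nPassword: N3wPass123"},
]


def leaked_credentials(message: str) -> list[str]:
    """Return the lower-cased labels of credentials that appear unmasked."""
    labels = []
    for m in CREDENTIAL_RE.finditer(message):
        if set(m.group("value")) <= MASK_CHARS:   # "*********": masked template
            continue
        labels.append(m.group("label").lower())
    return labels


def affected_users(emails) -> dict[int, set[str]]:
    """Map userid -> kinds of credential sitting in clear in stored mail.

    Every user in the result must rotate those credentials, whatever the
    date of the email: whoever read the mail store holds them until then.
    """
    affected = {}
    for e in emails:
        labels = leaked_credentials(e["message"])
        if labels:
            affected.setdefault(e["userid"], set()).update(labels)
    return affected


def prune_sent_mail(emails, retention_days: int, now):
    """Split the store into (kept, removed_ids) under a retention window.

    `now` may be a datetime or an ISO string. Copies older than the window
    are dropped so a later database compromise no longer exposes them;
    rotation (affected_users) is still required for anything already exposed.
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    cutoff = now - timedelta(days=retention_days)
    kept, removed = [], []
    for e in emails:
        if datetime.fromisoformat(e["date"]) < cutoff:
            removed.append(e["id"])
        else:
            kept.append(e)
    return kept, removed


if __name__ == "__main__":
    for uid, kinds in sorted(affected_users(SAMPLE_EMAILS).items()):
        print(f"user {uid}: rotate {', '.join(sorted(kinds))}")
    kept, removed = prune_sent_mail(SAMPLE_EMAILS, 30, "2012-11-01")
    print(f"pruned {len(removed)} stored emails, {len(kept)} kept")
```

On the sample data, user 103 is not flagged because their welcome mail was sent after the template was fixed and only carries a mask, while user 104's reset mail on the cutoff date is: the scan decides by content, not by date. Pruning with a 30-day window leaves only the invoice reminder, and rerunning the scan on what is kept returns nothing, which is the check to run after a cleanup like kbeezie's.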

  • marcm Member
    edited November 2012

    The only thing I could think of was:

    Out with WHMCS, in with HostBill App :D

  • I've said it before (in fact, the only thread I've made on LET so far was for another provider disclosing an exploit) but I really appreciate when companies of any sort disclose when bad things happen.

    I made peace a long time ago with the fact that vulnerabilities and exploits and data losses and data exposures and other shit is going to happen sometimes. It completely sucks, especially when it happens to you (both as a provider and as a customer) but it happens.

    Thanks @Nick_A for being upfront, plenty of people would've chosen to cover it up rather than analysing the breach, learning from it, and notifying their customers.

  • Nick_A Member, Top Host, Host Rep

    It was not the Boleto module. We applied that fix the day it came out. The Liberty Reserve module was involved, although we are not certain it was the module itself that was compromised.

    Welcome emails sent before July 12 contained visible passwords. I'm still not sure why WHMCS has that setting by default, but we obviously fixed it on July 13. That's all that part of the email was referring to.

  • I apologize - reading my post again, it seems as if I was trying to nag you with my question. That was not my intention. I am a (very happy) Ramnode customer myself.

  • Nick_A Member, Top Host, Host Rep

    It's alright, I understand that the email was not perfectly written. Thanks for your support.

  • +1 for @Nick_A. At least he came straight out with what he needs and told people exactly what to change and how it happened.

  • jar Patron Provider, Top Host, Veteran

    @TheHackBox said: +1 for @Nick_A. At least he came straight out with what he needs and told people exactly what to change and how it happened.

    Yep. Nothing left to imagination, just good communication. It goes a long way.

  • @jarland :P though it would have saved a lot of spitter-spatter if he had just said which module was at fault :P

  • Nothing happened, so +1 for @Nick_A for handling this one really well.

  • +1 to @Nick_A, this seems like the best possible way to handle the situation. Good luck with the security audit

  • @Corey said: they didn't need to hire a security auditor to read emails.

    Maybe for insurance purposes as the auditor would have liability insurance in the event of a second attack?
